As the time approaches for the implementation of the General Data Protection Regulations (GDPR) on 25 May 2018, many businesses still need clarification on how it might affect them and what steps they should be taking. In this feature, Andrew Woolfall answers some common questions raised in the run-up to the legislation coming into force and explains some of the GDPR terminology.
It is important to emphasise, as highlighted in Andrew Woolfall’s previous feature article on Data protection regulation (GDPR) and commercial transport, that these new GDPR regulations are likely to affect every business within Europe. It is difficult to think of an organisation that will not, to some extent, hold relevant data and therefore be caught by the new rules.
“Data controllers” and “data processors”
The GDPR covers “data controllers” and “data processors”. Data controllers are those businesses or organisations that hold other people’s data and decide how it should be processed. “Data processors” are those that perform tasks with the data. A business can be both a controller and a processor. For example, a transport company might hold the driver’s tachograph data. In this capacity, they are the “controller”. If they analyse the data in-house, they are also the “processor”. However, if they use an external agency to perform this role, that second business then becomes the “processor”.
Transport businesses will hold a myriad of different types of data, from employee records and tachograph or maintenance information to details of third parties or suppliers, etc. See Andrew’s previous feature for more detail. This information will invariably be held as either a data controller or a data processor and therefore the business will be caught by GDPR.
“Data subjects” — whose data is covered by the GDPR?
The GDPR is aimed at protecting the personal data for what is defined as “data subjects”. In reality, this means individual persons who are either identified by that data or who can be easily identified from it. They must, however, be living persons — the data of those who have died is not covered!
As noted above, the regulations include the data of those who may not be immediately identified from the contents but who can still be readily identified by putting several pieces of information together. This might include somebody’s forename and date of birth which, when combined, would easily identify the person concerned. It could even include closed-circuit television (CCTV) footage of a driver who, while his or her face cannot be seen, can otherwise be identified from his or her personal hi-vis clothing!
In a transport business, “data subjects” will include all employees, whether drivers, fitters or office staff. It will also cover agency or self-employed drivers, external contractors and their employees as well as customers and suppliers.
However, the regulations do not just apply to data relating to individuals. They also cover data belonging to businesses that are made up of individuals such as a partnership, a limited liability partnership (LLP) or a small limited company — for example, a company where there is one individual who is the sole director and the sole shareholder. This scenario is certainly not uncommon in many smaller transport companies where one person is owner and sole director — so if you use this type of operator as a subcontractor, all the data from that business will also be caught!
What type of data is caught up in the GDPR? Is it just computer records?
The GDPR covers all forms of data. It is not just restricted to information held on a computer. It can cover paper records, photographs, CCTV footage, sounds (such as audio recordings) or any other type of information which relates to an identifiable individual. Within a transport company, this could include maintenance records, driver defect sheets, HR files, dashcam footage, clocking on cards, etc. It is essentially any data from which an individual can be identified.
What rights do individuals have under the new GDPR legislation?
The new regulations give individuals a number of new or enhanced rights. These include the following.
The right to be informed — this is effectively telling individuals what data will be collected on them and how it will be processed. For staff in a transport company, this will involve having clear statements in contracts of employment, company handbooks or data processing policies that information will be collected and subsequently processed — for example, that driving licence details or training records will be checked and stored, that vehicle tracking data is collected and may, from time to time, be referred to, that CCTV is used and footage kept, etc. The individual has a right to know what information is going to be held and what will happen to it. If the information is going to be passed on to a third party, they have a right to know that this will happen and who it will be passed on to — for example, the use of an external tachograph analysis company. The individual also has a right to know how long the data will be kept before it is deleted.
The right of access — this is the right for individuals to make what are known as “subject access requests” to a data controller for confirmation as to what information the business holds on them.
The right to rectification — this is the right to have any incorrect information changed. If the data controller has passed the information on to a third party, the controller must also make sure that any other business that holds the data is informed of the need to change the information to bring it up to date. Going back to the example of external tachograph analysis, if the operator has made incorrect manual entries for a driver on the tachograph analysis system, that driver has a right to insist that the operator corrects this information and advises the third-party analyst accordingly.
The right to be forgotten — this is the right for an individual to ask that their records are deleted. This is not, though, an absolute right and needs to be balanced against the business’s own legal obligations — for example, a driver who leaves a company cannot insist that he is immediately forgotten when the operator by law might have to keep drivers’ hours data and vehicle defect sheets for at least a further 15 months (or more depending on the undertakings on the operator’s licence). The business will be entitled to keep the information it is legally obliged to hold (or which it can show a legitimate business reason for retaining) but will have to delete information that is no longer required.
The right to restrict processing — this is the right for individuals to specify what can and cannot be done by a data controller with the information that they hold. Again, though, this has to be balanced with the other obligations on the business — for example, a driver could not insist that the operator did not retain footage of him having a crash, when that CCTV evidence might well be needed in legal or disciplinary proceedings.
The right to data portability — this is the right to be provided with a copy of the data so that it can be transferred easily, by the individual, to another company or business. For a driver leaving the business, this might involve providing copies of training records or even tachograph/drivers’ hours analysis which can then be taken to a new employer.
What are the key obligations on businesses?
The GDPR places numerous key obligations on businesses. These include ensuring that:
personal data is only processed lawfully, fairly and in a transparent manner; this essentially means that a business must hold the data in accordance with one of the six permitted lawful grounds; these include holding the data for a contractual purpose, to pursue a legal obligation, in pursuance of a legitimate business interest and, of course, on the basis that the individual has consented
data is only collected in accordance with specified, explicit and legitimate business purposes; this essentially means it is only collected and handled in accordance with information given to the data subjects; if it is given for one purpose, for example, to enable a contractual obligation to be fulfilled (such as a driver giving his home address), it cannot be used for another purpose (such as passing the information on to a third party who then sends marketing information to that home address)
all information is accurate and, where necessary, kept up to date; this essentially speaks for itself and ties in with the individual’s right to rectification
the data is kept in a form which permits identification of data subjects no longer than is necessary; this may mean, for example, if CCTV footage is retained for future training purposes, a driver’s face may have to be pixelated so that he or she can no longer be identified
data is processed in a manner that ensures appropriate security; this means that a business must ensure that the data is properly protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.
In addition to all of the above, the GDPR also requires that the data controller should be responsible for, and be able to demonstrate, compliance with all of the above principles. In reality, this means that an organisation will need to have a data asset register, clear data processing policies and evidence of the steps that they have taken to ensure that their obligations have been met.
What should my business be doing now?
The clock is now ticking down on GDPR and, at the time of writing, there are fewer than 40 working days before the legislation comes into effect on 25 May. Any business that has not already started to tackle the issue should act fast. The steps that need to be taken include the following.
Ensure that the business is actually registered with the Information Commissioner’s Office (ICO). At the present time, there is a legal obligation for all those who control data to be registered with the ICO.
Organisations should ensure that their staff are trained on GDPR and data protection in general.
The organisation should then conduct a data audit. This involves setting out all the different types of information that are held and, more importantly, why. It involves reviewing and listing all the different types of data including HR data, operational information, supplier and customer data. It will include all digital information such as drivers’ hours and tachograph records, vehicle tracking data and other telematics. Paper records such as maintenance files, delivery documentation or customer manifests will also have to be included. Driving licence information and training records will also feature in the lists.
Once the business has a list of all the different types of personal data that it holds, it then needs to determine the lawful basis for holding each type — which of the six permitted grounds for holding and processing data is being relied upon. Any data that is not lawfully held should be deleted.
Where the business relies upon consent as the ground for holding data, thought should be given as to whether new GDPR-compliant consent must be obtained. Many transport companies think that they need consent from drivers to hold details of driving licences and training. This may not be the case — the employment contract relationship may be a better alternative. However, new consent may be required if, for example, the business sends marketing emails to customers — for example, a coach company sending out information about forthcoming tours or holidays.
Businesses should also take this opportunity to review data security — who is responsible for the information and who can access it. This includes the physical security of data, to ensure that only those who need to can access information. Questions to ask yourselves include the following.
Can anybody access maintenance files or a driver’s tachograph data?
Who can access tracking data and do they need to?
Can anybody easily see drivers’ hours infringement letters?
Thought should also be given to the likelihood of data being “hacked” and to the use of other data protection measures such as encryption. Many operators might not think that their computer systems are a target for hackers, but data is a commodity that can be sold — there will always be a buyer for information ranging from employees’ names, dates of birth, home addresses and postcodes to customer lists, contact information or even workshop files. Steps should be taken to ensure that the unintended sharing, loss or destruction of data is avoided.
The business should also look to review staff contracts and handbooks, customer and supplier contracts and data processing policies and notices. Consideration should be given to developing a breach notification procedure — if there is a data breach, under GDPR, this must be reported to the ICO within 72 hours and a written procedure will certainly help to ensure this deadline is met.
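To illustrate what the audit, lawful-basis and retention steps above come to in practice, here is an added example (not from the article or its author) of a small data asset register check in Python. The six lawful bases are those listed in Article 6(1) of the GDPR; the register entries, retention periods and dates are constructed for the example, and the 72-hour breach notification window is the one the article cites.

```python
import calendar
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple

# The six lawful bases for processing under GDPR Article 6(1).
LAWFUL_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}

# Breach notification deadline quoted in the article: 72 hours to the ICO.
BREACH_NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class DataAsset:
    """One row of a data asset register (constructed structure, not from the article)."""
    name: str
    lawful_basis: Optional[str]      # None means no basis has been recorded
    retention_months: int            # how long the asset is needed after last_needed_from
    last_needed_from: date           # e.g. the date a driver left, or the record's creation date
    identifies_individual: bool = True   # False once footage is pixelated / data anonymised


def add_months(d: date, months: int) -> date:
    """Add calendar months to a date, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def review_register(register: List[DataAsset], today: date) -> List[Tuple[str, str]]:
    """Flag assets with no valid lawful basis, and identifying data kept past its retention period."""
    findings = []
    for asset in register:
        if asset.lawful_basis not in LAWFUL_BASES:
            findings.append((asset.name, "no valid lawful basis recorded: delete or establish one"))
            continue
        expiry = add_months(asset.last_needed_from, asset.retention_months)
        if asset.identifies_individual and today > expiry:
            findings.append((asset.name, f"retention period ended {expiry.isoformat()}: delete or anonymise"))
    return findings


def hours_remaining(became_aware: datetime, now: datetime) -> float:
    """Hours left to notify the ICO, counted from when the controller became aware of the breach."""
    remaining = (became_aware + BREACH_NOTIFICATION_WINDOW) - now
    return remaining.total_seconds() / 3600


# Constructed sample register for a small operator.
REVIEW_DATE = date(2018, 5, 25)
SAMPLE_REGISTER = [
    DataAsset("tachograph records, driver left 2017-01-31", "legal_obligation", 15, date(2017, 1, 31)),
    DataAsset("training records, current staff", "contract", 60, date(2018, 1, 1)),
    DataAsset("customer marketing list", None, 24, date(2016, 6, 1)),
    DataAsset("CCTV training clip, faces pixelated", "legitimate_interests", 36,
              date(2015, 1, 1), identifies_individual=False),
]


def run_review() -> List[Tuple[str, str]]:
    return review_register(SAMPLE_REGISTER, REVIEW_DATE)


def example_breach_hours() -> float:
    # Constructed timeline: aware at 09:00 on 1 June, checking 24 hours later.
    return hours_remaining(datetime(2018, 6, 1, 9, 0), datetime(2018, 6, 2, 9, 0))


if __name__ == "__main__":
    for name, issue in run_review():
        print(f"{name}: {issue}")
    print(f"hours left to notify ICO: {example_breach_hours():.1f}")
```

The pixelated CCTV clip is skipped by the retention check because it no longer identifies anyone, which is the point made earlier about keeping footage for training; the marketing list is flagged regardless of age because no lawful basis is recorded for it.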
What about the data from my business that is held by or processed by third parties?
The GDPR places strict controls on the sharing and transfer of information. If you are going to send information to a third party then the data subject must be advised and in some circumstances, they must also consent.
The GDPR also heavily restricts the transfer of data outside of the European Economic Area (EEA). If you do use a third party to either store or process data then you should take steps to find out what they will do with the information and where they store it. This is particularly relevant to information such as tachograph analysis data, tracking data, online maintenance records or remote CCTV footage. It could also include CRM systems or even files and information you post yourself to “cloud” sites like Dropbox, OneDrive or iCloud. Many suppliers of cloud-based services have traditionally stored this kind of information in the cheapest locations such as Asia, the Far East or the Americas. This is no longer permitted and you should speak to all your third-party suppliers to ensure that, unless the very specific exemptions are met, the information is now kept within the EEA.
Does this all mean we need even more paperwork?
This all depends on how compliant your business or organisation currently is with regards to the Data Protection Act 1998 and other relevant regulations! Data controllers will certainly have to have a data asset register and data processing policies in place (for both internal and external information), data security policies and ideally data protection breach reporting procedures. They may also have to review, revise or develop email, internet and social media policies. Staff handbooks and contracts of employment will need reviewing and revising.
There is a lot that now needs to be done before 25 May!
Last reviewed 28 March 2018